ISN 2022-10: Firefox Vulnerabilities
Updated 2nd June 2022 (IGEL OS 11.07.140 available)
First published 19th April 2022
CVSS 3.1 Base Score: 7.5 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Multiple vulnerabilities have been found in the Firefox ESR Browser. This affects the following IGEL products:
- IGEL OS 11
- IGEL OS 10
Details
The Firefox ESR browser shipped in IGEL OS is affected by seven security issues rated as high. These include a browser window spoof using fullscreen mode (CVE-2022-26383) and a bypass of the JavaScript sandbox in iframes (CVE-2022-26384). Another vulnerability affects the verification of add-on signatures: when installing an add-on, Firefox verifies the signature before prompting the user, but while the user is confirming the prompt the underlying add-on file can be modified, and Firefox would not notice the change (CVE-2022-26387). The remaining defects are memory-safety bugs. A full list of CVEs is available in the Mozilla advisories listed under "References".
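The ordering defect behind CVE-2022-26387 (verify the file, prompt the user, then install from the file again) as an added illustration, not code from this advisory or from Firefox: a constructed HMAC key stands in for the real add-on signing PKI, and the hardened variant installs exactly the bytes it verified.

```python
import hmac
import os
import tempfile

# Constructed demo key standing in for the real add-on signing PKI.
SIGNING_KEY = b"constructed-demo-key"

def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, "sha256").digest()

def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)

def install_vulnerable(path, sig, prompt):
    """Verify the file on disk, prompt, then re-read the file to install.
    The second read is the defect: whatever is on disk after the prompt
    gets installed, although only the earlier contents were verified."""
    with open(path, "rb") as f:
        if not verify(f.read(), sig):
            return None
    if not prompt():          # the file may change while the prompt is open
        return None
    with open(path, "rb") as f:
        return f.read()       # unverified bytes

def install_hardened(path, sig, prompt):
    """Read once, verify those bytes, and install exactly those bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if not verify(data, sig) or not prompt():
        return None
    return data               # verified bytes, whatever is on disk now

def demo() -> dict:
    good, tampered = b"<signed add-on>", b"<tampered add-on>"
    sig = sign(good)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "addon.xpi")
        def prompt_and_swap():  # simulates the file changing mid-prompt
            write(path, tampered)
            return True
        write(path, good)
        vuln = install_vulnerable(path, sig, prompt_and_swap)
        write(path, good)
        hard = install_hardened(path, sig, prompt_and_swap)
    return {"vulnerable": vuln, "hardened": hard, "bad_sig": verify(tampered, sig)}
```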
Mitigation
CVE-2022-26387 can be mitigated by not installing new add-ons until a fixed version of Firefox ESR has been installed.
Update Instructions
- IGEL OS 11: Update to IGEL OS version 11.07.140 or newer.
- IGEL OS 10: Upgrade to IGEL OS version 11.07.140 or newer.
References
- Mozilla Foundation Security Advisory 2022-14: https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/
- Mozilla Foundation Security Advisory 2022-11: https://www.mozilla.org/en-US/security/advisories/mfsa2022-11/